Several organizations across Germany have been targeted by suspected initial access broker TA547, also known as Scully Spider, with attacks using a generative artificial intelligence-based PowerShell to deliver the Rhadamanthys information-stealing malware, reports BleepingComputer.
Intrusions commenced with the distribution of phishing emails spoofing German wholesaler Metro Cash & Carry with a password-protected ZIP archive containing a malicious LNK file triggering PowerShell execution of a remote script, according to a Proofpoint report. Further analysis of PowerShell code revealed elements not commonly found in human-crafted code, such as the presence of the hash sign before specific component comments.
Moreover, Proofpoint Director of Threat Research Daniel Blackford noted the presence of unusually "impeccable grammar" within the PowerShell code used in the attack. Additional testing done by BleepingComputer on ChatGPT-4 yielded similar output code, suggesting that threat actors either leveraged generative AI to develop the code or copied the code from a source using AI.
